NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p12 was released on 14 August 2018. It addresses 1 low-/medium-severity security issue in ntpd, 1 low-severity security issue in ntpq and ntpdc, and provides 27 non-security bugfixes and 4 other improvements over 4.2.8p11.

There are three Identity Schemes available in the NTP Reference Implementation: IFF, GQ, and MV. See the Identity Scheme documentation for detailed information about the Identity Schemes. Although examples of server parameter generation and client parameter installation are provided for all available Identity Schemes, it is not necessary to use all of them.

Enforcement of NTP Authentication (with restrict statements) is beyond the scope of this topic.

6.7.1. How To Use This Guide

Perform the server set-up before performing the client set-up

Follow each step in this guide

This guide currently only addresses the IFF identity scheme.

6.7.2. Server Set-Up

This section pertains only to systems that will be ntp servers for an NTP Trust Group; see 6.7.3. Client Set-Up for systems that will only be ntp clients. Trusted ntp servers which also operate as clients of other ntp servers may also need to follow 6.7.3.4. Install Group/Client Keys.

6.7.2.1. Create the NTP Keys directory

Create a directory for the NTP Keys (e.g. /etc/ntp).

6.7.2.2. Edit ntp.conf

Add the following lines to ntp.conf:

crypto pw serverpassword
keysdir /etc/ntp

You may need to add the following line to ntp.conf if ntpd dies with the error "crypto_setup: random seed file not found":

crypto randfile /dev/urandom

6.7.2.2.1. Broadcast and Multicast Autokey

Append autokey to the broadcast line in ntp.conf for the broadcast/multicast address that you want to authenticate with Autokey:

broadcast my.broadcast.or.multicast.address autokey

The assigned NTP Multicast address is 224.0.1.1, but other valid multicast addresses may be used.

6.7.2.3. Generate Server Parameters

The server key and certificate will be generated if they are missing when a set of parameters is generated. The server certificate will be updated when existing parameters are updated or additional parameters are generated.

The -T option for ntp-keygen should only be used by a Trusted Authority (e.g. the time server) for an NTP Trust Group.

6.7.2.3.1. IFF Parameters

The IFF parameter generation process produces a server key which should not be distributed to other members of the NTP Trust Group.

Generate the IFF parameters with the following commands:

cd /etc/ntp
ntp-keygen -T -I -p serverpassword

You must export an IFF Group Key for use by the members of the Trust Group. This Group Key is unencrypted and may be handled in the same manner as a PGP/GPG public key.

Export the IFF Group Key with the following commands:

cd /etc/ntp
ntp-keygen -e -p serverpassword

The IFF Group Key will be written to standard output unless you redirect it to a file. The target name of the IFF Group Key file appears on one of the first lines of the output.
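As an added example (not from this guide or the NTP project), a small POSIX shell helper that takes the captured output of ntp-keygen -e and stores it in the keys directory under the target name from its header, refusing anything that is not an exported IFF group key. It assumes ntp-keygen's header and naming conventions (a first line of the form "# ntpkey_iffkey_<host>.<filestamp>" for the exported group key, and ntpkey_IFFpar_<host>.<filestamp> for the server's private parameters) and works on a constructed sample export.

```shell
#!/bin/sh
# Install an exported IFF group key under the file name ntp-keygen names in
# its own output header, and refuse anything that is not a group key.
# Assumptions (not stated on the page): "ntp-keygen -e" starts its output
# with "# <target file name>", exported group keys are named
# ntpkey_iffkey_<host>.<filestamp>, and the server's private parameters are
# ntpkey_IFFpar_<host>.<filestamp> (which must never be distributed).
set -eu

# target_name FILE -> prints the file name from the first "# ntpkey_..." line
target_name() {
    sed -n 's/^# *\(ntpkey_[A-Za-z]*_[^ ]*\)$/\1/p' "$1" | head -n 1
}

# save_group_key EXPORT_FILE KEYSDIR -> copies the export into KEYSDIR under
# its target name and prints that path; returns 1 if there is no target name
# or the file is not an exported IFF group key (e.g. the private IFFpar file).
save_group_key() {
    src=$1; keysdir=$2
    name=$(target_name "$src")
    case "$name" in
        ntpkey_iffkey_*) ;;
        "")  echo "no ntpkey target name in header of $src" >&2; return 1 ;;
        *)   echo "refusing to install $name: not an IFF group key" >&2; return 1 ;;
    esac
    mkdir -p "$keysdir"
    cp "$src" "$keysdir/$name"
    chmod 0644 "$keysdir/$name"   # group key is public, like a PGP public key
    printf '%s\n' "$keysdir/$name"
}

# Constructed sample of what "ntp-keygen -e -p serverpassword > export.txt"
# would produce; header lines follow ntp-keygen's layout, PEM body is a dummy.
write_sample_export() {
    cat > "$1" <<'EOF'
# ntpkey_iffkey_timeserver.example.3742000000
# Thu Aug 16 10:00:00 2018
-----BEGIN DSA PRIVATE KEY-----
ZHVtbXkgYm9keSAtIG5vdCBhIHJlYWwga2V5
-----END DSA PRIVATE KEY-----
EOF
}
```

Run it as `ntp-keygen -e -p serverpassword > export.txt && save_group_key export.txt /etc/ntp` on the server; the same function installs the file on each client once the export has been copied there.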